Imagine you are in your kitchen, making some morning coffee. You need a spoonful of sugar, and naturally, you search it in your shelf (or atleast this have been the case till now).
We can bring a little twist in this routine, by adding a Burglar. Imagine the burglar hiding the real sugar container on the top of your book shelf and replacing a container of rock salt labeling it as Sugar in the kitchen shelf.
By habit, which shelf would you look up to naturally?
Obviously you'll open the kitchen shelf and bombard your coffee with rock salt, damaging your whole day !
That's the burglar performing DLL hijacking but in much less damaging way. Let's dive deep into the technical terms, analysis and flow of the overall attack ๐งโ๐ป.
What a DLL actually is :
DLL - DYNAMIC LINK LIBRARY
It is a file containing your important data that multiple programs or file in your applications can use simultaneously. By sharing a dll to multiple programs, memory is efficiently used.
It typically resides in the System folder of your device.
How a DLL attack is planned :
For a DLL hijack to happen, the attacker needs an attack vector to get into the victim's system.
Attack Vectors are methods to get an unauthorized access into someone's system. Many of the famous attack vectors include -
Phishing - When an attacker sends you malicious message or mail acting as a trusted authority, making you give up your sensitive credentials.
Malware - When downloading some software or clicking some links injects your device with a harmful software.
Social Engineering - When you receive a call or messages asking your credentials, promising you to get your benefit out of it.
After getting in your system, the attacker plants a harmful DLL file that when accessed from your application, will damage your application, sometimes giving the attacker the data he/she wants.
This attack is typically hard to detect as from your point of view, you are accessing a DLL that your application wants, and there is nothing wrong with it, unless you see the contents of that DLL.
The flow of DLL hijacking :
Let's say the attacker have gained access to victim's network. Now just the injection of deceptive DLL is that's left.
We first have to understand how an application searches for DLL in order to get it to the wrong one. There's a term called DLL search order, lets understand how that works.
It works in 2 modes :
Safe DLL search mode Enabled
Safe DLL search mode Disabled
In Safe DLL search Enabled mode, the flow of searching for a DLL file priority goes as follows:
The directory from which the application is loaded.
The system directory.
The 16-bit system directory.
The Windows directory.
The current directory.
The directories that are listed in the PATH environment variable.
In Safe DLL search Disabled mode, the flow of searching for a DLL file priority goes as follows:
The directory from which the application is loaded.
The current directory.
The system directory.
The 16-bit directory.
The Windows directory
The directory listed in the PATH environment variable.
Notice how the ordering of Current directory is different in both modes. In safety enabled mode, the current directory is prioritized at last, while in other, it is prioritized a little more.
That's exactly where a possible hijacking can take place.
Imagine a situation in which your application wants it's needed DLL file which should originally meant to be searched at C:\Windows\System32. BUT the application have not been provided with any instruction to go and fetch the file from there.
Now the application (having no clue of where do you want it to get that file from) will search the file in current directory. This is where the attacker have injected the malicious file in. This is the exploit the attacker's been waiting for. At this point, the application will accept the wrong, harmful DLL.
Precisely, the wrong file also mimics the digital signature, verifying wrongly that it is an authenticated file.
Prevention and measures :
The identification of such infected files need a whole new article, but we will be closing this topic with some prevention measures you can take for this type of attack.
Keeping your software up-to-date.
Make sure to not fall any phishing traps.
Practice the latest cybersecurity measures and educate yourself constantly about this types of hijacking and injection attacks.